Question

Removing Local Admin Privilege using a Script


  • New Contributor
  • 2 replies

Hello,

I have been trying to remove local admin privilege for all users, but with an exception of two local accounts. I was able to find a script from a previous post. For the most part it works, but one of the local admin account names has spaces in it. So when I run the script it takes in each word as a separate user. For example: if the admin account name is "The Admin" it would run as "The" as one account name and "Admin" as another account name. Not sure why the space is a delimiter. Any help would be appreciated!

#!/bin/sh
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c -18)
for user in $adminUsers
do
    if [ "$user" != "root" ] && ( [ "$user" != "The Admin" ] || [ "$user" != "secondAdmin" ] )
    then
        dseditgroup -o edit -d $user -t user admin
        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
    else
        echo "Admin user $user left alone"
    fi
done

 

4 replies

  • Honored Contributor
  • 582 replies
  • February 14, 2023

Spaces are delimiters in a BASH array. You are creating the array adminUsers and then looping through it. If you were to echo $adminUsers you would see something like:

root user1 The Admin secondAdmin

To BASH that is 5 different array elements. 

The big question is how do you have a username with a space in it? That should not be possible. Are you sure "The Admin" is a username and not a Real Name?

Also, your cut command in the 2nd line is incorrect. It should be cut -c 18-. Otherwise you are getting the first 18 characters.


  • Author
  • New Contributor
  • 2 replies
  • February 14, 2023
Tribruin wrote:

Spaces are delimiters in a BASH array. You are creating the array adminUsers and then looping through it. If you were to echo $adminUsers you would see something like:

root user1 The Admin secondAdmin

To BASH that is 5 different array elements. 

The big question is how do you have a username with a space in it? That should not be possible. Are you sure "The Admin" is a username and not a Real Name?

Also, your cut command in the 2nd line is incorrect. It should be cut -c 18-. Otherwise you are getting the first 18 characters.


Hello, thanks for the response!
After doing some digging, a previous person who used to work on Jamf created this setting in PreStage enrollment where it created a local admin account with spaces in it. And I guess by creating it this way, the username was able to have a space in it?

My worry was that other devices may have different usernames with spaces in them. So if I need to remove admin privilege from them, it wouldn't work. But from what it sounds like, there should be no other accounts with spaces in them, unless it was done the way I mentioned above.

I thought the - after the 18 means it cuts the characters after the 18th character? When I tried the script with the dash after the 18, and I did an echo of the results, it returned nothing.


piotrr
  • Contributor
  • 132 replies
  • February 15, 2023

Could you use the user ID instead? Not that I know if dseditgroup takes GIDs for operations. 


  • Valued Contributor
  • 182 replies
  • February 15, 2023

Ignoring the issue of a space existing in a username, the scripting part could be done this way:

# by replacing [ with [[ you're able to wildcard the comparison.
# instead of seeing if the username = "The Admin" see if it = *"Admin"*
if [[ "$user" != "root" ]] && [[ "$user" != *"Admin"* ]] && [[ "$user" != "secondAdmin" ]] ; then
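
Added example, not part of any reply in this thread: one way to keep usernames with spaces intact is to handle the names one per line and compare each against an exact-match allowlist, so only the listed accounts keep admin rights. The KEEP_ADMINS list and the function names are assumptions for illustration, and demote_admins assumes it runs as root on macOS.

```shell
#!/bin/sh
# Added example; names below are illustrative, not from the original script.
# Accounts that must stay in the admin group, one per line (spaces allowed).
KEEP_ADMINS='root
The Admin
secondAdmin'

# is_kept NAME: succeeds only on an exact, whole-line match in KEEP_ADMINS.
# -F = literal string, -x = whole line, so "The" does not match "The Admin".
is_kept() {
    printf '%s\n' "$KEEP_ADMINS" | grep -Fxq -- "$1"
}

# Reads usernames on stdin, one per line, and prints those that are not
# exempt. IFS= and read -r keep embedded spaces and backslashes intact.
select_for_demotion() {
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        is_kept "$user" || printf '%s\n' "$user"
    done
}

# macOS only: list local user records one per line, keep current members of
# the admin group, drop the exempt names, then remove the rest from admin.
demote_admins() {
    dscl . -list /Users |
    while IFS= read -r user; do
        dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1 </dev/null &&
            printf '%s\n' "$user"
    done |
    select_for_demotion |
    while IFS= read -r user; do
        # "$user" is quoted so a name with a space stays a single argument.
        if dseditgroup -o edit -d "$user" -t user admin </dev/null; then
            echo "Removed user $user from admin group"
        fi
    done
}

# Nothing is changed unless the script is invoked with --apply.
if [ "${1:-}" = "--apply" ]; then
    demote_admins
fi
```

Piping constructed names through select_for_demotion first shows which accounts would lose admin rights before anything is changed.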

 

